49 lines
2.2 KiB
Diff
49 lines
2.2 KiB
Diff
From 9e5ac9f25cd400b16d5969f531cee28290543f2a Mon Sep 17 00:00:00 2001
|
|
From: Marcio Silva <marcio.a.silva@ibm.com>
|
|
Date: Wed, 12 Jul 2023 12:05:47 -0300
|
|
Subject: [PATCH] Fix for CVE-2023-38201 (Security Advisory
|
|
GHSA-f4r5-q63f-gcww)
|
|
|
|
In addition to remove the offending message, this patch also ensures
|
|
deletion of an agent's record from the database in case of failure after
|
|
a single attempt.
|
|
|
|
Signed-off-by: Marcio Silva <marcio.a.silva@ibm.com>
|
|
---
|
|
keylime/registrar_common.py | 15 +++++++++++++--
|
|
1 file changed, 13 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/keylime/registrar_common.py b/keylime/registrar_common.py
|
|
index 1fd97cd0c..7f15ae430 100644
|
|
--- a/keylime/registrar_common.py
|
|
+++ b/keylime/registrar_common.py
|
|
@@ -250,7 +250,9 @@ def get_network_params(
|
|
try:
|
|
port = int(port)
|
|
if port < 1 or port > 65535:
|
|
- logger.warning("Contact port for agent %s is not a number between 1 and got: %s.", agent_id, port)
|
|
+ logger.warning(
|
|
+ "Contact port for agent %s is not a number between 1 and 65535 got: %s.", agent_id, port
|
|
+ )
|
|
port = None
|
|
except ValueError:
|
|
logger.warning("Contact port for agent %s is not a valid number got: %s.", agent_id, port)
|
|
@@ -447,7 +449,16 @@ def do_PUT(self) -> None:
|
|
logger.error("SQLAlchemy Error: %s", e)
|
|
raise
|
|
else:
|
|
- raise Exception(f"Auth tag {auth_tag} does not match expected value {ex_mac}")
|
|
+ if agent_id and session.query(RegistrarMain).filter_by(agent_id=agent_id).delete():
|
|
+ try:
|
|
+ session.commit()
|
|
+ except SQLAlchemyError as e:
|
|
+ logger.error("SQLAlchemy Error: %s", e)
|
|
+ raise
|
|
+
|
|
+ raise Exception(
|
|
+ f"Auth tag {auth_tag} for agent {agent_id} does not match expected value. The agent has been deleted from database, and a restart of it will be required"
|
|
+ )
|
|
|
|
web_util.echo_json_response(self, 200, "Success")
|
|
logger.info("PUT activated: %s", agent_id)
|